The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

"The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources..."

I would think they would have to deny the claims, or else they would have to go public with just what and how much they and their customers were exposed; it could cost them millions. Imagine if they hid one in every iPhone and iPad?

Recalling and replacing that many phones and iPads along with the lawsuits and bad publicity that went along with it would destroy the company.

This does make one wonder just where China's technological advancement would be today without industrial espionage and reverse engineering.

The suspect "backdoor" chips are on the motherboard of servers used by large American companies, banks and US Govt agencies, including Apple. The chips are said to allow the attackers to create a stealth doorway into any network that included the altered machines.

The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.
Apple provided Bloomberg Businessweek with the following statement before their story was published:

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

The story, which has been a year in the making and covers events it says happened three years ago, had a huge impact on the markets: the company at the center of the story, San Jose-based Super Micro, saw its share price drop by nearly 50 per cent; likewise Apple's share price dropped by just under two per cent, and Amazon's dropped by more than two per cent.

But the article has been strongly denied by the three main companies involved: Apple, Amazon, and Super Micro. Each has issued strong and seemingly unambiguous statements denying the existence and discovery of such chips or any investigation by the US intelligence services into the surveillance implants.

The UK's National Cyber Security Centre (NCSC) said it had no cause to doubt statements made by Apple and Amazon yesterday, denying a Bloomberg report that malicious computer chips were placed inside their equipment by foreign agents.

By Eduard Kovacs on October 05, 2018
Industry professionals contacted by SecurityWeek have commented on various aspects of the story, including the technical details, political impact, and how organizations can defend themselves against such attacks.

"Bloomberg stands by Chinese chip story as Apple, Amazon ratchet up denials...

...Bloomberg reporter Jordan Robertson, one of the article's co-authors, has stood by his story. In a Thursday afternoon appearance on Bloomberg TV, Robertson said that he talked to 17 anonymous sources—both in US intelligence agencies and at affected companies—who confirmed the story..."

After reporting about malicious chips designed to be hardware backdoors being added on Supermicro's server motherboards by Chinese manufacturers, Bloomberg Businessweek reveals that the company's online update portal was also breached in 2015.

I can't believe that the US didn't see this one coming. And it's not just the US, I'm sure the EU has also already been infiltrated.

I personally have no clue about the veracity of this story. But I DO know about Stock Market manipulation. Just as a false story of a proposed merger can be planted so that those holding a position on the company that is said to be bought out can benefit when the market goes crazy and runs the stock price of the "company to be acquired" up to the moon, a rumor can also be planted to make a stock tank.

It works like this: plant a negative story, and then let the public FREAK OUT AND SELL (Lenovo stock lost ~23% and ZTE lost another 14% in Hong Kong on Friday). I can just imagine some Fat Fools laughing their ample behinds off about this (while spending the money they made on the Short).

Sow a Lie in the Morning and you can be assured of a Harvest in the Evening.

Considering the damage a rogue chip on a networked device can do, governments should have already legislated to force manufacturers to document every functionality of every chip on their device boards and face huge fines if they are found to be lying.

“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month – National Cybersecurity Awareness Month – we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts...”

Security researcher Joe Fitzpatrick, one of the few sources named in Bloomberg Businessweek's bombshell Chinese hack investigation, in a podcast this week said he felt uneasy after reading the article in part because its claims almost perfectly echoed theories on hardware implants he shared with journalist Jordan Robertson.

"A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company..."

When asked what, exactly, he found strange about Bloomberg's claims, Fitzpatrick said, "It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources." ~ op cit

"Spreading hardware fear, uncertainty and doubt is entirely in my financial gain, but it doesn't make sense because there are so many easier ways to do this," Fitzpatrick said, referring to the purported hardware implant. "There are so many easier hardware ways, there are software, there are firmware approaches. The approach you are describing is not scalable. It's not logical. It's not how I would do it. Or how anyone I know would do it." ~ op cit

Robertson was unable to produce photographic evidence of the chips in question, saying they were described to him by protected sources. Indeed, Robertson in September asked Fitzpatrick what a "signal amplifier or coupler" looks like, suggesting the publication narrowed the attack package down to that particular component. Fitzpatrick sent Robertson a link to a very small signal coupler sold by Mouser Electronics.

"Turns out that's the exact coupler in all the images in the story," Fitzpatrick said.

While the illustration used in the Bloomberg story is just that, Fitzpatrick argues similar components would be an unlikely choice for the attack vector described. Larger, albeit less conspicuous hardware is available, namely chips that mimic the SOIC-8 package. Further, pint-size signal couplers are not standard fare for server motherboards that do not include Wi-Fi or LTE.

"But it's just not the easiest package to choose to use with something like this, it's not a package you'd expect to find in a motherboard," he said. "It's something where if it's on your motherboard you'd be like, 'What the heck is that doing there for?'"

NSA official: Bloomberg story created a frenzied, fruitless search for supporting evidence

A news report claiming a compromise of U.S. companies’ supply chains by Chinese spies has triggered a thorough search in government and industry for evidence of the breach that has so far turned up nothing, according to a senior National Security Agency official, who expressed concern that the search was a distraction and potentially a waste of resources.

“I have grave concerns about where this has taken us,” Rob Joyce said Wednesday at the U.S. Chamber of Commerce. “I worry that we’re chasing shadows right now.”